ZPA breaking the DNS communication


Hello Techies,

I have ZPA installed on an AWS Workspace (Windows 10). I am able to reach all the internal apps hosted at the on-prem DCs via app connectors, but when ZPA is turned on it is not allowing the local DNS to work. For example, local domain controllers are not resolving, hence the group policy update cannot take place.

I’ll need a little bit more information: which hosts/domains can’t be resolved locally: your internal ones or also Internet bound domains?

If the former: this would be expected, since ZPA would pick those up. If you also have locally hosted applications within the same domain you could create specific bypasses for them

If the latter: did you define IP-based app segments in ZPA that include port 53 (both UDP and TCP) and overlap with your DNS servers? That would break DNS and eventually lead to problems connecting to ZPA itself as well. In general it is recommended not to use broad IP subnets as app segments, and it is strongly recommended to exclude port 53 from being defined in them.
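The overlap described in the reply above (an IP-based app segment that covers the DNS servers and includes TCP/UDP 53) is easy to check for offline once the segment definitions are written down. The script below is an added example, not Zscaler tooling and not something from this thread; the `AppSegment` structure, the sample segments and DNS server addresses are constructed for illustration, and the `/16` threshold for "broad" is an assumed value you would tune to your own environment. It flags any segment that is broader than the threshold or that would capture port 53 traffic to a listed DNS server.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

DNS_PORT = 53
BROAD_PREFIX = 16  # assumed threshold: prefixes shorter than /16 are reported as "broad"


@dataclass
class AppSegment:
    """Simplified, hand-written model of a ZPA IP-based app segment (constructed, not the product's schema)."""
    name: str
    cidrs: list[str]
    tcp_ports: list[tuple[int, int]] = field(default_factory=list)  # inclusive (low, high) ranges
    udp_ports: list[tuple[int, int]] = field(default_factory=list)


def port_in_ranges(port: int, ranges: list[tuple[int, int]]) -> bool:
    """True if `port` falls inside any of the inclusive (low, high) ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


def check_segment(seg: AppSegment, dns_servers: list[str]) -> list[str]:
    """Return human-readable findings for one segment (empty list means nothing to report)."""
    findings: list[str] = []
    nets = [ipaddress.ip_network(c, strict=False) for c in seg.cidrs]

    # Finding 1: overly broad subnets pull far more traffic into the tunnel than intended.
    for net in nets:
        if net.prefixlen < BROAD_PREFIX:
            findings.append(f"{seg.name}: {net} is a broad subnet (/{net.prefixlen})")

    # Finding 2: a segment that covers a DNS server *and* includes port 53 will
    # redirect the client's resolver traffic into ZPA, which is what breaks local DNS.
    for server in dns_servers:
        addr = ipaddress.ip_address(server)
        for net in nets:
            if addr not in net:
                continue
            for proto, ranges in (("tcp", seg.tcp_ports), ("udp", seg.udp_ports)):
                if port_in_ranges(DNS_PORT, ranges):
                    findings.append(
                        f"{seg.name}: {net} covers DNS server {server} and includes {proto}/{DNS_PORT}"
                    )
    return findings


def audit(segments: list[AppSegment], dns_servers: list[str]) -> list[str]:
    """Run check_segment over every segment and concatenate the findings."""
    out: list[str] = []
    for seg in segments:
        out.extend(check_segment(seg, dns_servers))
    return out


# Constructed sample data: one risky catch-all segment, one narrow web segment,
# and one segment that deliberately carves port 53 out of its port ranges.
SAMPLE_SEGMENTS = [
    AppSegment("corp-everything", ["10.0.0.0/8"], [(1, 65535)], [(1, 65535)]),
    AppSegment("intranet-web", ["10.20.30.0/24"], [(443, 443)]),
    AppSegment("dc-subnet-no-dns", ["10.1.1.0/24"], [(1, 52), (54, 65535)], [(1, 52), (54, 65535)]),
]
SAMPLE_DNS_SERVERS = ["10.1.1.10", "10.1.1.11"]  # constructed on-prem DC resolver addresses


if __name__ == "__main__":
    for line in audit(SAMPLE_SEGMENTS, SAMPLE_DNS_SERVERS):
        print(line)
```

With the sample data only `corp-everything` is reported: once for being a `/8`, and once per DNS server and protocol for including port 53. The `dc-subnet-no-dns` segment shows the recommended shape, where the DC subnet is still reachable through ZPA but resolver traffic on 53 stays on the local network.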

I have captured some logs while keeping ZPA enabled and found that, when sending the DNS query, the host is appending the domain name twice, which I believe is causing the issue.

For example, without ZPA: webserver.domain.com
While ZPA is enabled: webserver.domain.domain.com